我正在努力理解Kerberos,并与服务主体混淆。假设我想访问由Kerberos保护的NFS共享。
我有以下三个不同的节点:
- 客户端机器(具有名为test的用户(
- KDC(AS/TGS(
- NFS服务器
现在KDC包含主体数据库,用户名为test。此外,KDC还包含nfs/DOMAINNAMEFROMNFSSERVER主体。该主体还使用keytab与NFS服务器共享。为了建立kerberized nfs会话,用户test正在从KDC请求TGT。
但是,为什么互联网上的所有例子都表明客户端机器还需要一个keytab,该keytab应该包含nfs/DOMAINNAMEFROMNFSERVER主体?
我知道服务主体只需要存在于KDC数据库中并直接存在于NFS服务器上(使用keytab(。有人能澄清一下为什么密钥标签也需要出现在客户身上吗?
提前感谢您的帮助!
参考:man rpc.gssd,它包含了问题的详细答案。顺便说一句,客户端上的主体可以不同于nfs/@REALM。
手册页中的片段:
Machine Credentials
A user credential is established by a user and is then shared with the kernel and rpc.gssd. A machine credential is established by rpc.gssd for
the kernel when there is no user. Therefore rpc.gssd must already have the materials on hand to establish this credential without requiring user
intervention.
rpc.gssd searches the local system's keytab for a principal and key to use to establish the machine credential. By default, rpc.gssd assumes the
file /etc/krb5.keytab contains principals and keys that can be used to obtain machine credentials.
rpc.gssd searches in the following order for a principal to use. The first matching credential is used. For the search, <hostname> and <REALM>
are replaced with the local system's hostname and Kerberos realm.
<HOSTNAME>$@<REALM>
root/<hostname>@<REALM>
nfs/<hostname>@<REALM>
host/<hostname>@<REALM>
root/<anyname>@<REALM>
nfs/<anyname>@<REALM>
host/<anyname>@<REALM>
基本上,客户端需要机器凭据才能连接到kerberized nfs服务器。您必须添加一个nfs/<client_fully_qualified_name>主体,然后添加到本地客户端keytab中。